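#!/bin/sh
#
# querycounter
# gsutter@zer0.org
# $Id: querycounter,v 1.1 2003/11/06 01:51:44 gsutter Exp $
#
# Usage: querycounter LOGFILE [COUNT]
#   LOGFILE  BIND query log to read.  If it is not a regular file the
#            default /var/log/named-query.log is used instead and a
#            warning is printed on stderr (the historical behaviour,
#            kept for compatibility).
#   COUNT    number of top clients to list; 25 when absent, non-numeric
#            or zero.
#
# Reads BIND query log files in the format:
# 03-Nov-2003 19:17:05.836 XX+/127.0.0.1/22.26.228.26.in-addr.arpa/PTR/IN
# 03-Nov-2003 19:17:07.615 XX /63.227.227.224/www.freshports.org/A/IN
# 03-Nov-2003 19:17:12.397 XX /226.226.26.24/daily.daemonnews.org/AAAA/IN
#
# Outputs summary of top querents in the format:
# 4532 232.244.444.551 mail.domain.com
# 3788 466.42.45.192 cpe-66-1-165-152.ty.domain.net
# 1796 269.27.143.944 gw.domain.com
#
# The client address comes from the log and the host name from a DNS PTR
# answer, so both are treated as untrusted text: the address is checked
# against an address-character whitelist before it is handed to host(1)
# and every expansion is quoted.  The temporary file is created with
# mktemp (long random suffix) and removed on exit, including on
# SIGINT/SIGTERM.

set -eu

DEFAULT_LOG=/var/log/named-query.log

# die MESSAGE...: print the message on stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# ---- arguments ---------------------------------------------------------
if [ -z "${1:-}" ]; then
  printf 'Usage: %s logfile [count]\n' "$(basename -- "$0")" >&2
  exit 1
fi

if [ -f "$1" ]; then
  LF=$1
else
  # Keep the historical fallback, but say so instead of silently reporting
  # on a different file than the one that was asked for.
  printf 'warning: %s is not a regular file, using %s\n' "$1" "$DEFAULT_LOG" >&2
  LF=$DEFAULT_LOG
fi
[ -r "$LF" ] || die "cannot read $LF"

# COUNT must be a positive integer; anything else falls back to 25.  The
# pattern check keeps test(1) from erroring out on non-numeric input.
case ${2:-} in
  '' | *[!0-9]*) COUNT=25 ;;
  *) if [ "$2" -gt 0 ]; then COUNT=$2; else COUNT=25; fi ;;
esac

if command -v host >/dev/null 2>&1; then
  HAVE_HOST=1
else
  HAVE_HOST=0
  printf 'warning: host(1) not found; all names will be UNKNOWN.HOST\n' >&2
fi

# ---- temporary file ----------------------------------------------------
TMP=$(mktemp "${TMPDIR:-/tmp}/querycounter.XXXXXXXXXX") || die "mktemp failed"
cleanup() { rm -f -- "$TMP"; }
trap cleanup EXIT
# A caught signal turns into a normal exit so the EXIT trap still runs.
trap 'exit 1' INT TERM

# ---- count queries per client ------------------------------------------
# Dropping field 1 removes the date; the second '/'-separated field of
# "XX+/client/name/type/class" is the client address.  The C locale makes
# sort/uniq byte-wise and therefore reproducible.
cut -d ' ' -f 2- "$LF" \
  | cut -d / -f 2 \
  | LC_ALL=C sort \
  | uniq -c \
  | sort -rn >"$TMP"

# Sum the per-client counts in one awk pass (the old shell loop forked
# once per line and started from an unset TOTAL).
TOTAL=$(awk '{ s += $1 } END { print s + 0 }' "$TMP")

# ---- print the results -------------------------------------------------
printf 'Total accesses: %s\n\n' "$TOTAL"
printf 'Top %s users:\n\n' "$COUNT"

# Each line of $TMP is "<count> <client>"; read(1) does the splitting, so
# no per-line awk/echo is needed.  Lookups are printed as they complete.
head -n "$COUNT" "$TMP" | while read -r cnt ip _rest; do
  name=
  case $ip in
    '' | *[!0-9A-Fa-f.:]*)
      # Not something that looks like an IPv4/IPv6 address (malformed log
      # line): never pass it to host(1).
      ;;
    *)
      if [ "$HAVE_HOST" -eq 1 ]; then
        # Same invocation as before; the PTR answer is printed by host as
        # "<reverse-name> domain name pointer <name>." (field 5).
        name=$(host -t a "$ip" | grep 'domain name pointer' | head -n 1 | awk '{ print $5 }')
      fi
      ;;
  esac
  # Quoted test: a PTR answer with spaces must not be re-parsed by test(1).
  [ -n "$name" ] || name=UNKNOWN.HOST
  printf '%s %s %s\n' "$cnt" "$ip" "$name"
done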